How Windows Vista Helps Protect Computers From Malware

How Windows Vista Prevents Malware

Published: September 6, 2006

Windows Vista is designed to block many types of common malware installation techniques. The sections that follow describe how Windows Vista protects against malware that attempts to install without the user’s knowledge using bundling and social engineering, browser exploits, and network worms.

Protecting Against Bundling and Social Engineering

Two of the most common ways malware becomes installed on a computer are bundling and social engineering. With bundling, malware is packaged with useful software. Often, the user is not aware of the negative aspects of the bundled software. With social engineering, the user is tricked into installing the software. Typically, the user receives a misleading e-mail instructing them to open an attachment or visit a Web site.

Windows Vista offers significantly improved protection against both bundling and social engineering. With the default settings of Windows Vista, malware that attempts to install via bundling or social engineering must circumvent three levels of protection:

UAC either prompts the user to confirm the installation of the software (if the user is logged on with an administrative account) or prompts the user for administrative credentials (if the user is logged on with a Standard account). This feature makes Administrators aware that a process is trying to make significant changes and gives them the opportunity to stop the process. For Standard users, it requires them to contact an Administrator or enter administrative credentials to continue the installation.

Windows Defender real-time protection scans executable files before they run and blocks them if they are identified as malicious. Windows Defender also detects and stops changes the malware might attempt to make, such as configuring itself to start automatically after a reboot. Windows Defender notifies the user that an application has attempted to make a change and gives the user the opportunity to block it or proceed with the installation.

To help protect against Windows Defender being unintentionally disabled, Windows Security Center will notify the user if no antispyware application is active. Windows Security Center will also notify the user if the Windows Defender definitions are out-of-date. This feature provides an additional layer of protection for users who accidentally disable Windows Defender.

Protecting Against Browser Exploit Malware Installations

Historically, many malware installations have occurred because the user visited a malicious Web site, and the Web site exploited a vulnerability in the Web browser to install the malware. In some cases, users received no warning that software was being installed. In other cases, users were prompted to confirm the installation, but the prompt might have been misleading or incomplete.

Windows Vista provides five layers of protection against this type of malware installation:

Protected Mode Internet Explorer provides only limited rights to processes launched by Internet Explorer, even if the user is logged on as an administrator. Malware launched from Internet Explorer has access to a limited set of directories.

Windows Defender scans files downloaded by Internet Explorer and also notifies the user if malware attempts to install itself as a browser helper object, start itself automatically after a reboot, or modify another monitored aspect of the operating system.

Windows Security Center notifies the user if Windows Defender is disabled or if the signatures are out-of-date. Additionally, Windows Security Center recommends that the user install antivirus software or download updated signatures, which can also block the malware.

Protecting Against Network Worms

While bundling, social engineering, and browser exploits all rely on the user to initiate a connection to a site that hosts malware, worms can infect a computer with no interaction from the user. Worms spread by sending network traffic that exploits a vulnerability in remote computers and installs the worm. Once installed, the worm continues looking for new computers to infect.

If the worm attacks a Windows Vista computer, Windows Vista offers several levels of protection:

Windows Firewall blocks all incoming traffic that has not been explicitly permitted. This feature blocks the majority of current worm attacks.

If the worm attacks a patched vulnerability in a Microsoft component, Automatic Updates, enabled by default, may have already removed the security vulnerability.

If the worm exploits a vulnerability in a service that uses Windows Service Hardening and attempts to take an action (such as saving a file or adding the worm to the startup group) that the Windows Service Hardening profile does not allow, Windows Vista will help block the worm.

If the worm exploits a vulnerability in a user application, limited privileges enabled by UAC help block system-wide configuration changes.

Windows Security Center notifies the user if Windows Defender is disabled or if the signatures are out-of-date. Additionally, Windows Security Center recommends that the user install antivirus software, which can also block the worm.

The original release of Windows XP lacked all of these levels of protection. With Windows XP Service Pack 2, Windows Firewall and Automatic Updates are enabled, but the other levels of protection offered by Windows Vista are unavailable.
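A read-only posture check for the protection layers described above, written as an added PowerShell example (not code from the original article). It assumes an elevated prompt on Windows Vista or later and the standard registry locations and service names for UAC, Windows Defender, Windows Security Center, Protected Mode Internet Explorer, Windows Firewall, and Automatic Updates.

```powershell
# Added example: report whether each protection layer the article relies on is still active.
# Assumption: run elevated on Windows Vista or later; paths and service names are the standard ones.

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-Layer($Name, $Ok, $Detail) {
    $state = if ($Ok) { 'OK     ' } else { 'WARNING' }
    "{0} {1,-30} {2}" -f $state, $Name, $Detail
}

$report = @()

# 1. UAC: EnableLUA = 1 is what produces the confirmation/credential prompts.
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$report += Test-Layer 'UAC (EnableLUA)' ($lua -eq 1) "EnableLUA=$lua"

# 2. Windows Defender real-time protection runs as the WinDefend service.
$defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
$report += Test-Layer 'Windows Defender service' ($defender.Status -eq 'Running') "status=$($defender.Status)"

# 3. Windows Security Center (wscsvc) is the component that warns when Defender is off or stale.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
$report += Test-Layer 'Security Center service' ($wsc.Status -eq 'Running') "status=$($wsc.Status)"

# 4. Protected Mode IE for the Internet zone (zone 3): value 2500 = 0 means enabled, 3 means disabled.
$pm = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' '2500'
$report += Test-Layer 'IE Protected Mode (Internet zone)' ($pm -eq 0) "2500=$pm"

# 5. Windows Firewall: no profile should report "State OFF" and at least one should be ON.
$fw = netsh advfirewall show allprofiles state
$on  = @($fw | Select-String -Pattern '^State\s+ON').Count
$off = @($fw | Select-String -Pattern '^State\s+OFF').Count
$report += Test-Layer 'Windows Firewall' (($on -gt 0) -and ($off -eq 0)) "profiles on=$on off=$off"

# 6. Automatic Updates: AUOptions 4 = download and install automatically (1 = disabled).
#    Note: a domain policy under HKLM:\SOFTWARE\Policies\...\WindowsUpdate\AU can override this value.
$au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' 'AUOptions'
$report += Test-Layer 'Automatic Updates (AUOptions)' ($au -eq 4) "AUOptions=$au"

$report
```

Any WARNING line marks a layer from the sections above that is no longer in its default protective state and should be investigated.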